What is PTsnoop.exe?

[jonnyb]

This is listed in my Msconfig's start up. So what is snooping?

------------------
Thanks for everything. I like straight answers. Nothing too techy.
JonnyB

[poppy4]

Hi, found an article in 'Computer user' that answer's your question, ( the modem side of the story). Scroll about halfway down page.

click here

poppy
------------------
E Pluribus Unum
Please post back results



[This message has been edited by POPPY4 (edited 02-23-2002).]

[jdc2000]

It could be a program that was installed as part of your modem software, but it also might be a trojan / backdoor program to allow others to access your PC. Check out the following link:
http://www.europe.f-secure.com/v-descs/ptsnoop.shtml



[This message has been edited by jdc2000 (edited 02-23-2002).]

[carpenturr]

NAME: Ptsnoop
ALIAS: Backdoor.Ptsnoop

Ptsnoop is a simple backdoor program written in Visual Basic. Being activated it first looks for active RAS connections and exits immediately if none is found.

If a connection is present, the backdoor installs itself to system by copying itself as PTSNOOP.EXE file to \Windows\System\ directory and modifying WIN.INI file. The backdoor adds its execution string after LOAD= variable in [Windows] section of WIN.INI file. Diring this operation WIN.INI file gets copied to WIN.ANA file, the backdoor's execution st ring is then added and WIN.INI file is deleted. Then WIN.ANA file is renamed to WIN.INI file. This way the backdoor will become active every time Windows starts.

Being active the backdoor tries to connect to the following websites:


http://setway.cjb.net
http://setway1.cjb.net
http://setone.cjb.net

When the connection succeeds, the backdoor clips cursor to a certain area and allows a hacker or script on these websites to control mouse movement and window positions. It is not clear why this is done and it is impossible to check any more because the contents of the above mentioned websites were changed or removed.

The idea might have been to make a user click on certain areas of a website to download or run a script or binary from there. In any case, this backdoor should be deleted from a system and WIN.INI file should be cleaned from backdoor's execution string after LOAD= variable.

It should be noted that software packages for certain modems contain PTSNOOP.EXE files, but these are not trojans. If you are not sure if that file is a trojan or not, use F-Secure Anti-Virus to check it out.

[DanC]

http://www.europe.f-secure.com/v-descs/ptsnoop.shtml

Quote:

It should be noted that software packages for certain modems contain PTSNOOP.EXE files, but these are not trojans. If you are not sure if that file is a trojan or not, use F-Secure Anti-Virus to check it out.

It could be a modem file or it could be a trojan. If you know what kind of modem you have, go to their website and see if they say something about it in an FAQ. If it's a modem file they probably have had a number of questions about it.

------------------
"If you look at the sun without shielding your eyes, you'll go blind. If you look at the moon without covering your eyes, you'll become a poet." --Serge Bouchard

[spaceman_333]

Hi jonnyb

This may have come as part of the software with a modem. If so,it is not a threat.

spaceman

------------------
...more will be revealed.

[jonnyb]

So I can take it out of start up in Msconfig and it may not run and not cause any problems. I just put a new modem on this PC last week. This is WinME also.

------------------
Thanks for everything. I like straight answers. Nothing too techy.
JonnyB

[jtdoom]

IMHO

simple
just look for ptuninst.exe
if that is present on the driver install disc or on hard drive, its part of the modem software.

ptunisnt uninstalls the driver

------------------
It's caused by my Flemishness...

Kind regards, Jaak